Industrial Ethernet Security With Cp 1543-1 - Siemens SIMATIC ET 200AL System Manual

Industrial Ethernet Security with CP 1543-1

All-round protection - the task of Industrial Ethernet Security
With Industrial Ethernet Security, individual devices, automation cells or network segments
of an Ethernet network can be protected. Data transfer can also be protected by a
combination of different security measures:
● Data espionage
● Data manipulation
● Unauthorized access
Security measures
● Firewall
– IP firewall with stateful packet inspection (layer 3 and 4)
– Firewall also for Ethernet "non-IP" frames according to IEEE 802.3 (layer 2)
– Bandwidth limitation
– Global firewall rules
All network nodes located in the internal network segment of a CP 1543-1 are protected
by its firewall.
● Logging
To allow monitoring, events can be stored in log files that can be read out using the
configuration tool or can be sent automatically to a Syslog server.
● HTTPS
For encrypted transfer of websites, for example during process control.
● FTPS (explicit mode)
For encrypted transfer of files.
● Secure NTP
For secure time-of-day synchronization and transmission.
● SNMPv3
For secure transmission of network analysis information safe from eavesdropping.
● VPN groups
You can combine the CP 1543-1 with other security modules into VPN groups through
configuration. IPsec tunnels are established between all the security modules of a VPN
group (VPN). All internal nodes of these security modules can communicate securely with
each other through this tunnel.
● Protection for devices and network segments
The firewall and VPN groups protective functions can be applied to the operation of single
devices, multiple devices, or entire network segments.
Additional information
An overview with links to the most important contributions on Industrial Security is available
in this FAQ (https://support.industry.siemens.com/cs/ww/en/view/92651441).
242
Function Manual, 12/2017, A5E03735815-AF
13
Communication